The European Court of Justice ruled last October that the data sharing framework between the EU and US, referred to as Safe Harbor, is no longer valid.
On 2 February 2016, the EU and US authorities agreed in principle on a 'new' arrangement, known as the 'EU-US Privacy Shield', which is intended to replace 'Safe Harbor'.
But is the EU-US Privacy Shield really the solution which EU and US businesses have been waiting for?
A not so 'safe' harbor
Principle 8 of the Data Protection Act 1998 (the 'Act') requires that personal data must not be transferred outside the EEA without adequate protection for the rights and freedoms of individuals. The Safe Harbor scheme was designed to ensure that the transfer of EU citizens' data to the US (but not other non-EEA countries) was adequately protected in line with Principle 8.
The Safe Harbor framework worked by allowing US companies to self-certify their adherence to a number of principles of compliance with EU data protection legislation. The scheme meant that information could be easily and routinely transferred to US companies who were Safe Harbor registered, without the need to put in place other methods to comply with Principle 8.
In the wake of revelations of mass surveillance operations by the National Security Agency ('NSA'), Safe Harbor came under the microscope of the European Court of Justice, which ruled the Safe Harbor framework to be invalid because it does not adequately protect the privacy rights of EU consumers.
With many businesses previously using the Safe Harbor scheme to transfer data to the US across subsidiaries, to partner companies or as part of their IT infrastructure, businesses need to ensure that they are continuing to protect personal data relating to customers and employees when the data leaves the UK.
The EU-US Privacy Shield
Following the finding of invalidity, discussions between the EU and the US have been ongoing with a view to replacing the Safe Harbor scheme. On 2 February 2016, the EU-US Privacy Shield replacement was announced which hopes to produce a workable solution.
The EU-US Privacy Shield aims to provide a more robust and transparent mechanism through which EU-US transfers of EU citizens' data can be protected. The new arrangement will create stronger obligations for US companies to protect personal data and greater enforcement measures by US authorities. This will include limiting intelligence agencies' access to personal data for law enforcement and national security purposes to the extent that such processing is 'necessary and proportionate'. European citizens will have increased rights of redress, with companies having deadlines to reply to complaints and the option to refer a dispute to a newly appointed Ombudsman. Furthermore, an annual joint review will closely monitor the implementation of the scheme.
So what are the key messages to take away from this week's announcement?
Firstly, there continues to be a lack of clear guidance as to how organisations should proceed in the interim until the EU-US Privacy Shield comes into force. The Article 29 Working Party, which comprises representatives from national data protection authorities and provides advice to the EU Commission on data protection matters, has stated that enforcement will likely be left to individual Member States' data protection authorities. The Information Commissioner's Office ('ICO'), the UK's data protection authority, has encouraged organisations to review their transfers to the US and consider alternatives, but has not been clear as to how heavy-handed enforcement would be in the event that organisations fail to do so.
Secondly, much like the now defunct Safe Harbor scheme before it, the longevity of the EU-US Privacy Shield is directly related to the security situation in the US and the extent to which lawmakers can prove that EU citizens' data can be adequately protected under the new scheme. Can the EU-US Privacy Shield really rebuild the trust lost in the Safe Harbor scheme?
A state of uncertainty
For the time being, we continue to live in a state of uncertainty. The draft 'adequacy decision' still needs to be published (expected by the end of February) and the Article 29 Working Party will then need to consider whether its provisions are adequate and consult with Member States. The Article 29 Working Party has stated that it will assess the proposed EU-US Privacy Shield against 'four essential guarantees' which must be respected wherever intelligence activities take place:
- processing should be based on clear, precise and accessible rules;
- any processing should be necessary and proportionate with regards to any legitimate national security objectives;
- an independent body must provide effective oversight; and
- individuals must be provided with effective remedies before an independent body.
The coming months will bring further details of how the EU-US Privacy Shield will function in practice. Of course, it is entirely possible that it may not get that far. The lack of legal certainty at present is concerning for many organisations. Helpfully, the Article 29 Working Party has confirmed that existing provisions such as model contract clauses and binding corporate rules (see below) will remain valid for now, but has also stated that as part of its review it will consider whether these provisions will remain valid following the introduction of the EU-US Privacy Shield. Ultimately, the success of the new scheme will be reliant upon both approval from the Article 29 Working Party and widespread adoption by organisations in both the EU and US.
Unless and until the EU-US Privacy Shield framework is finalised, businesses should consider alternative measures to protect themselves. In particular, we suggest that businesses should review the following:
- Does personal data really need to be shared with the US entity? Is there another method of achieving the same objective?
- Can the data be anonymised without losing its usefulness? If so, the Act will not apply (it only applies to data which can identify a living individual, either by itself or in conjunction with other data in the organisation's possession). Effective anonymisation can be difficult to achieve in practice.
- Can model contract clauses be put in place? These clauses have been approved by the EU Commission as ensuring adequate protection for the rights of individuals and can be used for intra-group transfers or transfers to other businesses.
- If the transfer is intra-group, can you apply for approval for binding corporate rules? The application process can be cumbersome, but the result is better flexibility for companies with complex and ever-changing group structures.
If businesses choose not to adopt any of the above measures, they can instead evaluate their compliance by way of 'self-assessed adequacy'. This involves consideration of a wide range of factors, but it is a risky option as it does not automatically mean compliance with Principle 8.
The issue of transfers of personal data from the EU to the US continues to be in the spotlight. With a major shake-up of EU data protection legislation expected in 2018 which could see businesses facing fines of up to 4% of their global annual turnover for a breach, the change from Safe Harbor to the new EU-US Privacy Shield is the start of a greater transformation in the complex world of data protection compliance that businesses simply can't afford to ignore.